Tuesday, January 11, 2011

Want to get access to someone else's financial transaction records? There's an even money chance their bank will help you do it.

In November the customer experience research firm Global Reviews phoned call centre operators at eight of Australia's leading banks, including each of the big four.

Without identifying themselves as researchers, in 20 calls to each bank they asked how they could get access to their friend's or partner's account.

In all cases the first answer was that it was against the rules. But when pressed, call centre staff became more co-operative.

"The callers would say things like, my girlfriend needs to transfer money today, she's gone to work, I have to do it for her, she'll kill me when I come home tonight," said managing partner Peter Grist.

"Half the time after saying no the call centre staff would work with the caller to find out ways to do it."

Usually the method involved using internet or telephone banking and details such as account numbers and dates of birth that would be known to estranged or current partners...

Staff at the ANZ bank were significantly less keen to advise on how to break the rules than staff at the other banks.

When results from the ANZ are excluded, the proportion of call centre staff prepared to advise strangers how to access customers' accounts climbs to two thirds.

An extraordinary 15 per cent were prepared to go further.

"They said if the caller was worried about how to go online and do it, they would stay on the phone and guide them through it. They don't illegally enter accounts themselves, but they do guide other people through how to do it."

"I was astounded that so many call centre operators would get so actively involved in helping someone break the rules. What didn't astound me was their desire to help. There's a massive drive for customer satisfaction. It is drilled into them," said Mr Grist.

"They weren't trying to be fraudulent. They knew the rules. But human beings like to help. And not just in banks. I think it would be the same in any industry."

Former Privacy Commissioner Malcolm Crompton, whose consultancy helped fund the survey, said what the banks and Vodafone had in common was their vulnerability to social engineering.

"Someone rings up and is incredibly nice and it is hard not to help. They get one bit of information from one call centre operator and use it to get more from another."

Where the two differ is that Vodafone apparently had no limits on how much information one operator could access. "What's needed are geographical limits, so that one shop can't get easy access to records from interstate, and category limits so that someone setting up an account doesn't have access to call records," he said.

Each of the banks surveyed has been sent a copy of the results. Mr Grist said they were surprised.